Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Ackermann, Michael" <> Fri, 07 July 2017 14:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F074E1315F0 for <>; Fri, 7 Jul 2017 07:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.09
X-Spam-Status: No, score=-4.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id c1YXLVJpT9nm for <>; Fri, 7 Jul 2017 07:40:47 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8F6E9131538 for <>; Fri, 7 Jul 2017 07:40:47 -0700 (PDT)
Received: from (ZixVPM []) by (Proprietary) with SMTP id B6A2EC241B for <>; Fri, 7 Jul 2017 09:40:46 -0500 (CDT)
Received: from (unknown []) by (Proprietary) with SMTP id 15D31C1617; Fri, 7 Jul 2017 09:40:46 -0500 (CDT)
Received: from (unknown []) by IMSVA (Postfix) with ESMTP id D212992069; Fri, 7 Jul 2017 10:40:45 -0400 (EDT)
Received: from (unknown []) by IMSVA (Postfix) with ESMTP id 9A60592053; Fri, 7 Jul 2017 10:40:45 -0400 (EDT)
Received: from (unknown []) by (Postfix) with ESMTPS; Fri, 7 Jul 2017 10:40:45 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-bcbsm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=EmBEwGXn11yulHvYA2fFxsSiCTzPk7lflxb52z9Udcs=; b=iyvvgyipA2WzuqIyZeAsgGBS0qOW0CmIGKFyIZKJ6hjRCn8KuvpLk7mrQ8fENEJSbb3oFiH1qF4/zmTHCQcI+PzxH80EU1LZ2m4guikCGna7j1DDzbzEZntGDy+zuSzWc/4Vic4DyqDXrgGnER+VBKZPuCs+N6Diccjn1UI6iHw=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1220.11; Fri, 7 Jul 2017 14:40:43 +0000
Received: from ([]) by ([]) with mapi id 15.01.1220.018; Fri, 7 Jul 2017 14:40:43 +0000
From: "Ackermann, Michael" <>
To: Matthew Green <>, "" <>
Thread-Topic: [TLS] draft-green-tls-static-dh-in-tls13-01
Thread-Index: AQHS9u8RCuLDt7dBiEuHKxJZjnlNtqJIbvIQ
Date: Fri, 7 Jul 2017 14:40:43 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR14MB1367; 20:/jU/h6Q53+6JHVutF8L1AMBF5o1Fwej4t7lmZJIVt9WrlxhJnJy+dC9NPGZkMRr4Ww7I8NvEczUbK+dquyceTJXllBsYAmK1kXQYpcdYVh994jxGxiX1a6j8+wsPhjzPhyKa441LUvqndk8edLsfyF/qBRb0RkBsQ7nfhqfl1y8=
x-ms-office365-filtering-correlation-id: 9f51b637-1c15-4587-e7b9-08d4c54625cc
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CY4PR14MB1367;
x-ms-traffictypediagnostic: CY4PR14MB1367:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(151999592597050)(278178393323532)(26388249023172)(236129657087228)(192374486261705)(90097320859284)(48057245064654)(148574349560750)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(2017060910064)(93006095)(93001095)(10201501046)(3002001)(100000703101)(100105400095)(6041248)(20161123564025)(20161123560025)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123562025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR14MB1367; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR14MB1367;
x-forefront-prvs: 0361212EA8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39840400002)(39450400003)(39410400002)(39400400002)(377454003)(77096006)(790700001)(102836003)(478600001)(74316002)(86362001)(3660700001)(189998001)(7696004)(2906002)(8676002)(8936002)(81166006)(5660300001)(2950100002)(3280700002)(7736002)(9686003)(14454004)(66066001)(6506006)(39060400002)(54896002)(2900100001)(33656002)(229853002)(38730400002)(25786009)(99286003)(6436002)(6246003)(55016002)(230783001)(19609705001)(6306002)(80792005)(236005)(3846002)(6116002)(606006)(2501003)(76176999)(53936002)(54356999)(72206003)(53546010)(50986999)(966005); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR14MB1367;; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR14MB1368937FF0CF489ABD97E2C4D7AA0CY4PR14MB1368namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jul 2017 14:40:43.8330 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR14MB1367
X-VPM-GROUP-ID: 72d19997-c103-4824-ac63-44eec0608427
X-VPM-MSG-ID: 1013eb75-3d4b-4bcb-9ded-b79a2e9b797d
Archived-At: <>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Jul 2017 14:40:50 -0000

This document is extremely well written and describes the needs of enterprises well,  IMHO.    I believe and have heard,  there are similar needs beyond the enterprise realm,  but since we are the only ones formally expressing concerns, so be it.

The detail on the implementation,  as well as the details on why other alternative solutions are not viable/sufficient,  is very good and will help focus any related conversations.

I very much hope this can be on the agenda at IETF 99.
Thanks for your very productive efforts on this.

From: TLS [] On Behalf Of Matthew Green
Sent: Friday, July 7, 2017 3:03 AM
Subject: [TLS] draft-green-tls-static-dh-in-tls13-01

The need for enterprise datacenters to access TLS 1.3 plaintext for security and operational requirements has been under discussion since shortly before the Seoul IETF meeting. This draft provides current thinking about the way to facilitate plain text access based on the use of static (EC)DH keys on the servers. These keys have a lifetime; they get replaced on a regular schedule. A key manager in the datacenter generates and distributes these keys.  The Asymmetric Key Package [RFC5958] format is used to transfer and load the keys wherever they are authorized for use.

We have asked for a few minutes to talk about this draft in the TLS WG session at the upcoming Prague IETF. Please take a look so we can have a productive discussion.  Of course, we're eager to start that discussion on the mail list in advance of the meeting.

The draft can be found here:

Thanks for your attention,
Matt, Ralph, Paul, Steve, and Russ

The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.